Vulnerability Details CVE-2020-26298
Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the `:escape_html` option was being used. This is fixed in version 3.5.1 by the referenced commit.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 51.1%
CVSS Severity
CVSS v3 Score 6.8
CVSS v2 Score 3.5
References
- https://github.com/advisories/GHSA-q3wr-qw3g-3p4h
- https://github.com/vmg/redcarpet/blob/master/CHANGELOG.md#version-351-security
- https://github.com/vmg/redcarpet/commit/a699c82292b17c8e6a62e1914d5eccc252272793
- https://lists.debian.org/debian-lts-announce/2021/01/msg00014.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFMYDIONVWATY7EB6EARDVXT47AYCRNM/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNO4ZZUPGAEUXKQL4G2HRIH7CUZKPCT6/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXNNWHHAPREDM3XJDACYRTK7DBMUONBI/
- https://rubygems.org/gems/redcarpet
- https://www.debian.org/security/2021/dsa-4831
- https://github.com/advisories/GHSA-q3wr-qw3g-3p4h
- https://github.com/vmg/redcarpet/blob/master/CHANGELOG.md#version-351-security
- https://github.com/vmg/redcarpet/commit/a699c82292b17c8e6a62e1914d5eccc252272793
- https://lists.debian.org/debian-lts-announce/2021/01/msg00014.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFMYDIONVWATY7EB6EARDVXT47AYCRNM/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNO4ZZUPGAEUXKQL4G2HRIH7CUZKPCT6/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXNNWHHAPREDM3XJDACYRTK7DBMUONBI/
- https://rubygems.org/gems/redcarpet
- https://www.debian.org/security/2021/dsa-4831
Products affected by CVE-2020-26298
-
cpe:2.3:a:redcarpet_project:redcarpet:1.17.2
-
cpe:2.3:a:redcarpet_project:redcarpet:2.0.0
-
cpe:2.3:a:redcarpet_project:redcarpet:2.0.1
-
cpe:2.3:a:redcarpet_project:redcarpet:2.1.0
-
cpe:2.3:a:redcarpet_project:redcarpet:2.1.1
-
cpe:2.3:a:redcarpet_project:redcarpet:2.2.0
-
cpe:2.3:a:redcarpet_project:redcarpet:2.2.1
-
cpe:2.3:a:redcarpet_project:redcarpet:2.2.2
-
cpe:2.3:a:redcarpet_project:redcarpet:2.3.0
-
cpe:2.3:a:redcarpet_project:redcarpet:3.0.0
-
cpe:2.3:a:redcarpet_project:redcarpet:3.1.0
-
cpe:2.3:a:redcarpet_project:redcarpet:3.1.1
-
cpe:2.3:a:redcarpet_project:redcarpet:3.1.2
-
cpe:2.3:a:redcarpet_project:redcarpet:3.2.0
-
cpe:2.3:a:redcarpet_project:redcarpet:3.2.1
-
cpe:2.3:a:redcarpet_project:redcarpet:3.2.2
-
cpe:2.3:a:redcarpet_project:redcarpet:3.2.3
-
cpe:2.3:a:redcarpet_project:redcarpet:3.3.0
-
cpe:2.3:a:redcarpet_project:redcarpet:3.3.1
-
cpe:2.3:a:redcarpet_project:redcarpet:3.3.2
-
cpe:2.3:a:redcarpet_project:redcarpet:3.3.3
-
cpe:2.3:a:redcarpet_project:redcarpet:3.3.4
-
cpe:2.3:a:redcarpet_project:redcarpet:3.4.0
-
cpe:2.3:a:redcarpet_project:redcarpet:3.5.0
-
cpe:2.3:o:debian:debian_linux:10.0
-
cpe:2.3:o:debian:debian_linux:9.0